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Abstract. This paper introduces a Cellular Automata (CA) based sym- 
metric key cryptosystem for block cipher. The scheme named as CAC 
(Cellular Automata based Cryptosystem) employs a series of transforms 
- simple, moderately complex, and complex - all generated with differ- 
ent classes of CA. CAC provides a low cost, high speed cryptosystem 
with desired level of security. Cryptanalysis of the proposed scheme is 
reported along with similar analysis for two popular systems - DES and 
AES. Experimental results confirm that the security of the system is 
significantly better than DES and comparable to that of AES. The en- 
cryption/decryption throughput is higher than that of both AES and 
DES. 



1 Introduction 

This paper reports a high speed, low cost cryptosystem with desired level of 
security. Its hardwired version supports real time encryption/decryption. The 
scheme referred to as CAC (Cellular Automata based Cryptosystem) employs 
different classes of transforms generated with Cellular Automata (CA). 

We currently live in an internetworked society where a large volume of dif- 
ferent classes of data travel around the globe. This electronic data transmission 
should be secured enough against unwanted interceptor. In the above context 
we aim to achieve the following objectives for design of CAC: (i) High speed 
operation, specifically on line real time data encryption/decryption; (ii) low cost 
of implementation; and (Hi) acceptable level of security. 

In this paper, we concentrate on developing an innovative cryptosystem based 
on the theory of Cellular Automata(CA). A CA can be viewed as a parallel ma- 
chine simulating a discrete dynamical system. Further, the inherent parallelism 
of CA cells with their simplicity and local interactions make it particularly suit- 
able for designing a low-cost crypto-hardware. The above mentioned advantages 
have lead researchers to design various Cellular Automata based cryptosystems 

R. Deng et al. (Eds.): ICICS 2002, LNCS 2513, pp. 303-314, 2002. 
© Springer- Verlag Berlin Heidelberg 2002 
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[2-5]. In [2] Cellular Automata is used as random m sequence generator. In [3], 
non-homogeneous Cellular Automata has been proposed for public-key cryp- 
tosystems. Gutowitz [4] uses Cellular Automata as discrete dynamical system to 
add complexity of the cryptosystem. But none of these schemes has been able 
to withstand the modern attacks developed out of the cryptanalysis techniques 
[1]. Cellular Automata based block cipher and stream cipher schemes are also 
presented in [5]. But the scheme is insecure because of its inability to change the 
key. The ability to change the key is essential for any cipher. Also the scheme, as 
pointed out in [6], generates a subgroup of affine group and not the alternating 
group. In [7] another CA based block cipher scheme was proposed. But this is 
also unable to come out from the affine group constraint and so fails to achieve 
the desired level of security. This paper removes this bottleneck while generating 
non-affine CA transform. 

The CA based cryptosystem (CAC) along with the encryption and decryp- 
tion algorithm is outlined in Section 3 after introducing CA preliminaries in 
Section 2. Discussion on cryptanalysis of CAC are covered in Section 4* A com- 
parative study with other symmetric key block-cipher like DES and AES has 
also been included in this section. Finally, a low cost pipelined architecture of 
CAC crypto-hardware is reported in Section 5. 

2 Cellular Automata Preliminaries 
2.1 Introduction to GF(2) CA 

A CA consists of a number of ceils arranged in a regular manner, where the 
state transitions of each cell depends on the states of its neighbors. The next 
state of a particular cell, as shown in Figure 1, is assumed to depend only on 
itself and on its two neighbors ( left and right ) and this leads to 3-neighborhood 
dependency. The state q E {0,1} of the i th cell at time (t + 1) is denoted as 
qt+i _ /(^_ 1) ^,qf? +1 ) J where q\ denotes the state of the i th cell at time t 
and / is the next state function called the rule of the automata [8]. Since / is a 

function of 3 variables, there are 2 2 or 256 possible next state functions. The 
decimal equivalent of the output column in the truth table of the function, as 
noted below is denoted as the rule number [8]. 

Neighborhood : 111 110 101 100 011 010 001 000 RuleNo 

(i) NextState = 01011010 90 

(ii) NextState :10010110 150 

A CA employing both XOR and XNOR local rules for different cells are 
referred to as Additive CA, while the ones using only XOR rules are noted as 
Linear CA. This class of CA is referred to as GF(2) CA in the sense that each 
of the CA cells can store an element 0 or 1 in GF(2). comprehensive treatment 
of GF(2) CA results is noted in the book [8]. 

We next generalize this structure to study of GF(2 P ) CA [10] where each cell 
is capable of processing a symbol of {0,1,- ♦ -2 P - 1 } e GF(2 P ). CAC employs 
GF(2 P ) CA that can be analyzed with the theory of extension field [9]. 
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Fig. 1. A One Dimensional null boundary 6 cell Additive CA with rule vector 

<90,150,90,150,90,150> 
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Fig. 2. General structure of a GF(2 P ) Cellular Automata machine 



2.2 Introduction of GF(2*>) CA 

The Fig. 2 depicts the general structure of an n-cell GF(2 P ) CA. The connection 
among the cells follow a three neighborhood dependency in the sense that the 
next state qi(t + 1) of the i th cell depends upon the present states of (i — l) th , 
i th and (i + l) th . The connection among the cells of the CA are weighted in the 
sense that to arrive at the next state + 1) of i th cell, the present states of 
(i - l) th , i th and (i + l) th are multiplied respectively with Wi-x, Wi and Wi+\ 
and then added. In GF(2 P ) CA each cell, having p number of FFs( Flip-Flops), 
can store values 0,1,2,- • -,(2 P - 1) and the weights being elements of GF(2 P ). 

If all the states in the state transition diagram of a CA lie in some cycles, 
it is a group CA; otherwise it is a non-group CA. Group CA can further be 
classified into maximum and non-maximum length CA. An n-cell maximum- 
length GF(2 P ) CA is characterized by the presence of a cycle of length (2 pn -l) 
with all nonzero states. On the other hand, a non-maximum length CA state 
transition diagram has a number of cycles. 

3 Cellular Automata Based Cryptosystem (CAC) 

The objectives of high speed of operation with lower implementation cost achiev- 
ing high level of security are conflicting in nature. In order to meet such conflict- 
ing demands we apply a series of transforms of increasing complexity in succes- 
sive levels. For the current vesion of CAC, four levels of transforms, as shown in 
Fig. 3, have been employed. The basic guiding factor is to achive a trade off in 
typical engineering design - realize the targeted objective with higher efficiency 
while minimizing cost. With a similar analogy, we apply low cost high speed 
linear and afline transforms in first two levels, while introducing complex non- 
affine transform at the third level to achive higher level of security. The fourth 
level is responsible for key-mixing. 
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Fig. 3. Design of the encryption scheme 



3.1 A Specific Implementation 

A specific CAC implementation is shown in Figure 4- Four different levels of 
transformations are explicitly marked as Level 1, 2, 3 and 4- Different stages of 
computation are marked as (I), (II), (HI), (IV), (V) and (VI) in Figure 4. 

The encryption algorithm is based on two different classes of group CA, 16 
cell GF(2 8 ) Major CA and 16 cell GF{2 8 ) Minor CA. The Major CA is a 
non-maximum length group CA with equal cycles of length 32. The Minor CA 
is a maximum-length CA. CAC with 16 cell GF(2 8 ) CA can encrypt 16x8=128 
bits of token at a time. Thus the token (T) size and also the key size are taken 
as 128 bits. 

Note: The size of the key and token can be adjusted by changing the number of 
cells of the CA and/or the value ofp in GF(2 P ). The basic scheme does not get 
effected by that. 

The operation of the encryption and decryption scheme is presented below. Each 
step of the operation is explained with the help of the Figure 4- 

Level 1 - Linear Transformation on Key: The key (K) used for CAC 
scheme is a bit string of length same as the number of bits used for Minor CA. 
The input key is used as the initial seed of the Minor CA. 

Role of Minor CA: The Minor CA is operated for a fixed number of clock 
cycles (d) for input of each token. Initially, the seed of the Minor CA (S 0 ) is 
the key K (marked as J in the Fig 4). For each successive input token, Minor 
CA generates a new state (marked as Sn) after running d number of steps from 
its current state (shown as 77 in Figure 4)- The state Sn is utilized for four 
different purposes: 

1. Provides the value 5 by which each byte of the input token (T) is rotated. 

2. Provides seed for equivalent Major CA synthesis. 

3. Provides the number of clock cycles (A) of Major CA operation for encryp- 
tion. 



Cellular Automata Based Cryptosystem (CAC) 



307 



Level I -- Linear Transform on Key 




Key for Next Token 



Denotes Encryption 
Denotes Decryption 
Depicts Different Security Leve I 



Level 4 - Key Mixing 



Fig. 4. Total encryption and decryption scheme 



4. XORmg the intermediate encrypted token to form the final encrypted token 

Tencr* 

Level 1 - Linear Transform on Token: The linear transformation of the 
token T to 71 is executed by rotating each byte of T by 5 amount of steps (III 
in Figure 4)- In decryption side token generated from Major CA is subjected 
to a same amount of rotation in the opposite direction. 

Level 2 — Affine Transform: Next we give an affine transform to the token T\ 
by using the Major CA. The Major CA is generated at runtime by an efficient 
synthesis algorithm [10]. The Major CA uses the input token (7i) as its seed 
and operates for A number of cycles to generate the encrypted token T2 {IV in 
Figure 4)- The Major CA has cycles of equal length 32. So, the Major CA will 
invariably return back the input token T\ after running for 32 number of clock 
cycles. So the original token is returned after running the Major CA for (32- A) 
clock cycles at the decryption side. 

Level 3 — Non- Affine Transform: A non- affine transform is achieved by 
selective use of Control Majority Not (CMN) gate. CMN gate is a non-linear 
reversible gate with four inputs(l data input and 3 control inputs) and one 
output. We will denote the control bits by ci, C2 and C3. The function is defined 
as 

y = x © {(ci - c 2 ) 0 (c 2 • c 3 ) © (c 3 • ci)} 

where © denote the XOR and • denote the AND function. The token 72 is 
subjected to CMN gate depending on the result of a function called Majority 
Evaluation Function. The Majority Evaluation Function takes the 5 bits, referred 
to as fixed-bits, of T2 and calculate the number of l's in these bits. The 5 bit 
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positions axe selected depending on Sn (Figure 4)- If the number of l's is greater 
than 2 then each bit of 72 except these fixed-bits are subjected to CMN gate. 
Otherwise, T2 remains as it is. In any case, we call the resultant token as T$ (V 
in Figure 4)- Two sets of control bits taken from Sn applied to the CMN gate 
alternately. The fixed-bits have to be remained fixed because during decryption 
the same fixed-bits will require to get the same result from majority evaluation 
function. 

Level 4 — Key Mixing: To enhance the security and randomness, we generate 
final encrypted token Tencr by XORing the Minor CA state Sn with the token 
T${VI in Figure 4)- 

The algorithm for encryption and decryption process is presented next. 

Algorithm 1 Encryption 

Input: input file to be encrypted 
K=key 

Output: encrypted file 
begin 

Step 1. Divide the file into 128 bit tokens (T). 

Step 2. Load initial seed of Minor CA So=K 

For each token T begin loop 

Step 3. Run the Minor CA for d time steps and obtain Sn 
Step 4. Obtain S from Sn ■ Rotate T by S number of times and obtain T\ 
Step 5a. Randomly synthesize Major CA (CAmaj) using Sn as seed 
Step 5b. Obtain A from Sn 

Step 5c. Run CAmaj for A time steps with 71 as seed to obtain Ti 

Step 5d. S 0 =T 2 

ifTi satisfies MEF 

Step 6a. Obtain the 2 sets of Control bits for CMN gate 

Step 6b. Apply CMN gate to non-fixed bits ofTi using the Control bits 

alternately 
Step 6c. Assign the result to 75 

end if 

Step 7. XOR T3 with S N to get Tencr 
Step 8. write Tencr in output file 
Go to Step 3 untill the input file is exhausted 

end 



Algorithm 2 Decryption 

Input: input file to be decrypted 
K=key 

Output: decrypted file 
begin 

Step 1. Divide the file into 128 bit tokens (Tencr) 
Step 2. Load initial seed of Minor CA Sq=K 
For each token Tencr begin loop 

Step 3. Run the Minor CA for d time steps and obtain Sn 

Step 4. XOR Tencr with S N to get T 3 

if Tz satisfies MEF 
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Step 5a. Obtain the 2 sets of Control bits for CMN gate 

Step 5b. Apply CMN gate to non- fixed bits of Tz using the Control bits 

alternately 
Step 5c. Assign the result to Ti 
end if 

Step 6a. So =75 

Step 6b. Randomly synthesize Major CA (CAmaj) using Sjv as seed 
Step 6c. Obtain A from Sn 

Step 6d. Run CAmaj for 32- A time steps with Ti as seed to obtain 71 
Step 7. Obtain 8 from Sn • Rotate T\ by 5 number of times in reverse order 

and obtain T. 
Step 8. Write back T into output file 
Go to Step 3 untill the input file is exhausted 

end 



4 Analysis of CAC 

4.1 Different Levels of Security 

Large Key Space: The number of possible key is very large (2 128 ) and all 
key are equiprobable to occur. This randomness in key generation gives random 
probability distribution in key space. Since we can change the size of the minor 
and major CA the key size can also vary. So we can have a variable key space 
of any arbitrary size. 

Security Level 1 - Linear Transformation: Each byte of token T is sub- 
jected to a random rotation decided by Minor CA state. Since Minor CA is an 
excellent pseudo-random generator [8], this rotation of token introduces a degree 
of randomness to the input token. 

Security Level 2 - Affine Transformation and On-line Synthesis of 
Major CA: The state transition of a Major CA which is additive generates 
an affine transformation. 

On the fly generation of Major CA reduces the memory requirement by a 
large amount and as well as enhances the security. The number of all possible 
CA having the cycle structure of Major CA is higher than 2 128 [10]. Thus, each 
seed (Sn) produces different Major CA providing us with the huge possibility 
of 2 128 different Major CA. This ensures that each key value (K) will encrypt 
differently and no key will be superfluous. Thus the CAC satisfies one of the 
important criterion of a secure cryptosystem. The criterion is specified by the 
following theorem: 

Theorem: [11] A necessary condition for a cryptosystem to have a perfect secrecy 
is that it to have at least as many keys as messages. 

Security Level 3 - Non-affine Transformation: This is a non-afnne re- 
versible CA transform which enables CAC to generate a non-afnne group which 
is the alternating group. The affine group is a small subgroup of the alternating 
gro\ip(Fig. 5). The analytical proof that the CAC scheme generates alternating 
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Set of odd permutations 



S — Permutation group 

Fig. 5. Description of the permutation group 

group is quite exhaustive and so omitted for short of space. Thus CAC, be- 
ing able to generate the alternating group which is much larger than the affine 
group, satisfies another important criterion of a secure cryptosystem which says 
that ability to generate the alternating group on the message space is one of the 
strongest security conditions. 

Security Level 4 - Key-mixing: The intermediate token {%) is next XORed 
with the state Sn of the minor CA. This is very simple and takes only a single 
clock cycle. But it makes the encrypted token (T en cr) totally unpredictable. The 
only way to return back to the original string is to randomly try with 128 bits 
which will cost 0(2 128 ) operations, for every token. 

Security Level 5: In order to further increase the level of security, our scheme 
can be used in bricklaying mode which will use multilevel encryption. This can 
be done with a minor increment of the cost while using the same basic structure 
reported in Fig. 4. 

4.2 Cryptahalysis of CAC 

The acceptance of any cryptosystem depends on its sustainability against various 
cryptanalysis attacks. Most important cryptanalysis are differential cryptanaly- 
sis [1] and Shannon's notion of perfect secrecy test [12]. We perform both these 
tests on CAC and as well as on DES and AES for the sake of comparison. 
Results of Differential Cryptanalysis: We perform differential cryptanalysis 
with 50 different files having 11 different size. For each file, we take different fixed 
input differences to get the output probability distributions and the average value 
of the standard deviations for them is calculated. We also perform the same for 
DES and AES systems. The results are reported in Table L Column Hoi Table 
1 depicts the average mean standard deviation for CAC, where the same for 
DES and AES noted in Column III and Column IV respectively. The results 
for the current version of CAC is significantly better than that of DES and 
comparable to AES. It can also be noted from the results that the percentage 
of the standard deviation is around 4.0 whereas 10% is sufficient for a system to 
be considered as secured. 

Results for Shannon's Security Quotient: We perform the Shannon's se- 
curity test on CAC with 50 files for 9 different size and also perform the same 
on other cryptosystems (DES, AES) for the sake of comparison. Column II of 
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Table 1. Differential Cryptanalysis of our scheme and Comparative Study with DES 
and AES 



Input file 


Avg. Std. Devi of 


Avg. Std. Devi of 


Avg. Std. Devi n of 


size \NiD) 


A CJ/t aistriDutions 


au it aistriDutions 


aUa aistriDutions 




for CAC (%) 


for DES (%) 


for AES (%) 


1 


4.36 


31.95 


4.2 


2 


4.30 


30.03 


4.0 


4 


4.26 


29.05 


3.63 


6 


4.17 


28.24 


3.62 


8 


3.91 


28.10 


3.67 


10 


4.02 


28.89 


3.52 


12 


3.89 


28.74 


3.51 


14 


3.55 


28.52 


3.48 


16 


3.40 


27.86 


3.43 


18 


3.42 


27.74 


3.26 


20 


3.59 


27.67 


3.24 



Table 2. Measurement of Shannon's Security Quotient and comparative study with 
DES and AES 



Input file 


Shannon's Security 


Shannon's Security 


Shannon's Security 


size (MB) 


Quotient (tf) 


Quotient (tf) 


Quotient (tf) 




of CAC(%) 


for DES(%) 


for AES(%) 


2 


14.1605 


14.2374 


14.2345 


3 


11.5527 


11.5531 


11.5706 


4 


10.1060 


10.2507 


10.1675 


7 


7.5640 


7.9141 


7.6014 


8 


7.1182 


7.1468 


7.7046 


9 


6.7043 


6.7139 


6.7136 


13 


5.5868 


5.5645 


6.0266 


14 


5.3636 


5.4001 


5.4625 


15 


5.2097 


5.3157 


5.5552 



Table 2 gives the average value of Security Quotient for our scheme calculated 
for different keys on each file size. The results show that our scheme fulfills the 
primary security level defined for any secure cryptosystem. Column HI and IV 
of Table 2 report the Security Quotient for DES and AES respectively, which 
establishes that CAC is better than DES and AES as far as Shannon's security 
notion is concerned. 

4.3 Execution Time of Software Version 

The main attractive feature of our CA based encryption scheme is its high 
speed of operation. Cellular automata are inherently parallel, so higher speed of 
execution of CAC is a natural outcome. 

We have developed non-optimized reference code for CAC. Both the CAC 
and AES are run under same environment of P — Ji7, 633 Af Hz processor to 
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Table 3. Comparison of time of software version of CAC and AES 



Input file 


CAC 


AES 


AES 


size 


Reference 


Reference 


Optimized 


(in MB) 


Code(in Sec) 


Code(in Sec) 


Code(in Sec) 


1.00 


2.70 


10.00 


0.87 


2.00 


5.00 


25.20 


0.89 


3.00 


7.00 


36.40 


1.90 


4.24 


9.80 


42.36 


2.25 


5.14 


11.00 


56.78 


2.79 


6.108 


11.30 


59.34 


3.2 


7.125 


16.00 


79.86 


3.4 


8.00 


17.91 


87.10 


3.9 


9.76 


23.30 


116.67 


4.0 


10.30 


23.7 


121.53 


5.11 


11.40 


27.40 


136.40 


5.20 


12.00 


27.90 


140.21 


5.4 



generate the results of Table 3. CAC reference code can be found to be sig- 
nificantly faster than that of AES. The optimized CAC code for commercial 
application is being developed. Preliminary results indicate that the optimized 
code of CAC will be faster than that of AES. However, the main advantage of 
CAC can be derived from its hardware version which is presented in the next 
section. 

5 Cryto-Hardware Based On CAC 

The pipelined architecture of CAC hardware is shown in Figure 6. The data 
path has five stages as explained below: 

Stage 1 - Minor CA Implementation: It accepts the input key and control 
signals from Control Block and CA Synthesis Hardware block for on the fly 
generation of minor CA. 

Stage 2 - Barrel Shifter Implementation: Its input register accepts the 
plain text token. The shift control of Barrel Shifter comes from Stage 1. 
Stage 3 - Major CA Implementation with 3 Sub-Blocks: The three sub- 
blocks of this stage are flip-flops, a set of switches to implement Programmable 
CA(PCA) and an array of XOR gates. The control of the PC A to generate 
different major CA comes from the CA synthesis hardware. 
Stage 4: It covers the implementation of CM7V(Control Majority Not) logic 
along with evaluation of majority function on the pseudo exhaustive fields of 
major CA. 

Stage 5 - The XOR operation: The input to this stage is the token coming 
from Stage 3 and the minor CA state. 

Two inter-stage pipeline registers are introduced between Stages 3 and 4, 
and also between 4 and 5. Different features of CAC crypto-hardware are next 
reported: 



Cellular Automata Based Cryptosystem (CAC) 313 



12& bits Key 



Key Generation ^ Module 



Input Register 
I 128 b its' 



CA Synthesis 
Hardware 



CA Rule 
Register 



* Rl and R2 are Intermkiiate 
Pipeline Register 



Stage 1 



123 bits Token 



Message Handling Module 



Input Register 



S tage 2 



B5 



Major 



Array of 128 DFFs 



Array of Switches 



128 x 23 2 input 
XOR Array 



Stage 3 



Rf I 

X 128 bits B S 



Majority Evolutioi 
Control Signal 



Stage 4 



~R2 1 



-0 



128 bits 



StageS 



Final Output Register 



128 bits Cipher Text 

Fig. 6. Block Diagram CAC Hardware 



A verilog code has been written for the design and simulated using Cadence 
Verilog Simulator on a Sun Ultra-60 machine. 

The design has been synthesized and analyzed using Synopsis Design Com- 
piler and Signal Scan. 

The design has been implemented with 0.25fiCMOS technology. 

The pre-layout area estimate of the non-optimized design is 4.25 x 10 6 sq. 

micron. 

Static timing analysis of one complete run of CAC implementation on 128 
bit plain text confirms correct operation of each stage with 1 GHz clock. 
For multiple rounds of operation(for the current implementation it is 4), the 
pipe line stages gets extended 4 times. 

The pipelined crypto-hardware throughput as per above timing analysis is 
128 Gb/sec. 

Note: (i) Even if we assume 25% reduction of throughput for delay associated 
with silicon implementation, the throughput will be close to 100 Gb/sec. (ii) 
By contrast the full round Rijndael chip produced by NSA(National Security 
Agency) on O.bCMOS technology exhibit throughput of 5.7 Gb/sec. This is 
much lesser than the throughput of full round CAC chip. 
Key generation hardware has been integrated within CAC implementation. 
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6 Conclusion 

The CA based cryptosystem presented in this paper shows a very low cost, 
high speed encryption scheme with very high cracking complexity. The different 
cryptanalytic tests on our scheme shows that it satisfies primary security crite- 
rion and better than DES, AES. Its throughput is better than that of AES. 
The hardware version of CAC suits ideally for real time applications. 
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Abstract — This paper introduces a new technology that 
combines compression and encryption into a single operation 
referred to as Encompression. This novel scheme is based 
on a special class of a sparse network - known as Cellular 
Automata (CA). The simple, regular, modular, cascadable, 
local neighborhood structure of CA ideally suits for low cost, 
online Encompression to support efficient data transmission 
with desired level of security. A pipeline architecture has 
been proposed for hardwired realization of Encompression 
operations. 
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- DECOMPRESSION 
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ENCRYPTION 



DECRYPTION 



Fig. 1. Basic architecture of encompression 



L Introduction 

The intemetworked society of cyber age has been expe- 
riencing an explosion of data communication. The volumi- 
nous data of different type (text, image, video, audio, per- 
sonal/business data) are transmitted over wired/ wireless 
channels around the globe. The user community availing 
this facility are concerned about the hackers intruding into 
their data files transmitted over the public network. Fur- 
ther, notwithstanding the growth of channel bandwidth, it 
will always fall short of the demand for higher speed of 
transmission of larger volume of data from enlarged user 
community. 

In the above background, efficient and secured data 
transmission demands due attention on following areas: 
(i) an efficient compression technique to reduce the data 
rate at source; (ii) an encryption scheme to ensure secured 
transmission; and (iii) low cost high speed execution of 
both operations. 

Traditionally, the development of these two areas- com- 
pression and encryption have been undertaken by differ- 
ent research groups employing totally different techniques. 
However, a single technology supporting both compression 
as well as encryption is highly desirable for this internet 
age. This paper bridges this gap and proposes a single 
technology - referred to as Encompression, supporting both 
encryption and compression. The sole objective of this new 
technology is to provide support for efficient transmission 
of data with desired level of security. 

.II. Encompression - An overview 

Encompression covers two operations - encryption and 
compression. Fig.l shows the basic architecture of Encom- 
pression operations where the input data passes through 
the pipeline in a streaming mode. Currently, we have de- 
veloped prototype encompression package to handle image 

tThe Patent Application No. 384/cal/2000 has been filed for En- 
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and video files for which lossy compression techniques can 
be employed. 

A static image or a video file is applied as an input to 
Stage 1 (Fig.l). The data file is encoded through the lossy 
compression technique in this stage. The encoded data 
enter in a streaming mode to the next stage and gets en- 
crypted by an encryption process in Stage 2. The encom- 
pressed data is transmitted through the communication 
channel. At receiver end, the encompressed data is first 
decrypted by the same key and original encoded data is 
retrieved in Stage 3. This encoded data is finally decoded 
in Stage 4 by the decompression process. The Stage 3 and 
Stage 4 again operate with data streaming through these 
stages. Next two subsections present an overview of com- 
pression and encryption techniques employed for Encom- 
pression operation for video telephony /conference applica- 
tion. 

A. Compression 

Lossy Data Compression is a process of reducing the 
amount of data required to represent a given quantity 
of information with acceptable loss. It removes redun- 
dancy, repeatability and irrelevancy of data blocks of in- 
put file to generate compressed output. In order to 
demonstrate the capability of encompression technology, 
we have concentrated on Lossy Compression for Video Tele- 
phony/Conference application involving image of human 
portrait. This compression technique is next extended to 
compress a specific class of video files. 

The well known Vector Quantization (VQ) (3] method 
has been applied to generate the codebook from the train- 
ing set of human portrait. Even though considerable re- 
search has been done on the application of VQ for image 
compression, the scheme has not become popular for real 
life applications. The reasons for this non-acceptance lie 
on the following two inherent drawbacks of the scheme - 
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good quality of image/video with high compression ratio; 
and (ii) the high processing overhead at encoding stage. 

These two problems are addressed in this paper with the 
methodologies elaborated next, (i) Rather than develop- 
ing general compression scheme for any arbitrary class of 
data files, we concentrate on developing the compression 
scheme for a specific class to improve the quality and com- 
pression ratio. We extract the domain knowledge from the 
specific class of data files - in the present case it is human 
portrait. This knowledge is next used to generate the code- 
book. The same codebook will serve for other image/video 
data files which has the same characteristic of variation of 
pixel values, (ii) The encoding time is reduced substan- 
tially by employing Cellular Automata (CA) technology as 
an implicit memory. 

B. Encryption 

Encryption is an effective way to protect data against 
eavesdropping. Again, the CA technology has been em- 
ployed to design a low cost, high speed Cryptosystem. It 
employs a series of four-reversible CA transforms (Fig. 11). 
on the plain text to arrive at the cipher text The details 
of the scheme is reported in [5]. Only a summary of CA 
based encryption scheme is reported in Section V for space 
constrain. A brief introduction to CA theory follows. 

III. Cellular Automata (CA) 

A Cellular Automaton (CA) can be viewed as an au- 
tonomous finite state machine (FSM) consisting of a num- 
ber of cells. The next state of a cell depends on its own 
state and the states of its right and left neighbors. 

Linear/Additive CA: An n-cell Additive CA is char- 
acterized by an n x n characteristic matrix (T matrix) and 
an n-dimensional inversion vector F [1]. The elements of 
characteristic matrix T is represented as 

j, _ f 1, if next state of i th cell depends on j th cell 
* J — \ 0, otherwise. 

and the inverse vector F is defined as 

n _ f 1, if next state of i th cell results from inversion 

1 — \ 0, otherwise. 
The state transition behavior of an Additive CA can be 
characterized by the following relation : 

f t+1 (x)=Txf t (x) + F(x) (1) 

where f t (x) and ft+i(x) represent the CA states at t th and 
(t + l) th instant of time respectively. 

If all the states in state transition diagram of a CA lie 
in some cycles, it is a group CA; otherwise it is a non- 
group CA. Both group and non-group CA are employed 
in encompression technology. 

Group CA can further be classified into maximum and 
non-maximum length CA. Fig. 2 shows the state transi- 
tion diagram of a maximum length group CA; while Fig. 3 
depicts a non-maximum length group CA. 

The state transition graph of a non-group CA consists 
of a number of cyclic and non-cyclic states (Fig. 4). The set 
of non-cyclic states form an inverted tree rooted at cyclic 
state (attractor). A CA whose state transition diagram 
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Fig. 3. A non-maximum length group CA 

as Multiple Attractor CA (MACA) (Fig.4). Detailed char- 
acterization of MACA is available in [1]. 

Non Linear CA: A CA employing non-linear rule with 
AND j OR logic, is known as non-linear CA. A non-linear 
group CA has been used in CA based cryptosystem (CAC) 
to realize non-affine transform. 

IV. CA Based Lossy Compression 

Vector quantization (VQ) is a lossy data compression 
method [3] . It maps the n dimensional vectors in the vector 
space R n into a finite set of vectors, called the codebook. 
Each vector of the codebook is known as codevector or 
codeword. A cluster is the set of vectors having minimum 
deviation from the codevector. Thus each codevector is the 
nearest neighbor of the set of vector in a cluster. A VQ 
method mainly consists of two operations- (i) an encoder 
- to encode each block of input file with the index of a 
codevector in the codebook, and (ii) a decoder - to get 
back the representative block from the codebook. 

The encoder, as shown in Fig. 5, takes an input vector 
and outputs the index of corresponding codevector from 
the codebook that gives minimum deviation. The index 
of the codevector is sent to receiver end. The decoder, 
on receiving this index file, replaces each entry with the 
associated codevector found from the codebook kept on 
receiver side. Codebook Generation plays a key role in VQ 
scheme. 

A. Codebook Design 

Codebook design consists of two steps- (i) design of train- 
ing set; and (ii) generation of codebook. Each step is illus- 
trated with reference to Fig. 6. 

Design of training set: The training set has been de- 
signed out of 20 different human-face images with wide 
variation of pixel values. Each image of training set is seg- 
mented into 16 x 16 blocks that is subsequently processed 
in following three sequential steps: 

Stepl : Calculate norm (Standard Deviation) of each 16 x 
16 pixel block. If the norms match the pre-specified criteria 
(say SDl as shown in Fig. 6), it is stored as a member of 
16 x 16 training set, else referred to as 16 x 16 residual 
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Fig. 4. A 5-cell non-group CA (MACA) 




Fig. 5. Encoder and Decoder 



Step2: Each member of residual 16 x 16 training set is 
broken into four 8x8 pixel blocks. Next, we calculate 
the norms of each 8x8 blocks and compare with the pre- 
specified criteria (say SD2as shown in Fig. 6). If the norms 
match the criteria, then it is stored as 8 x 8 training set. 
Otherwise it is referred to as the residual of 8 x 8 training 
set to be processed in the next step. 

Step3: Each 8x8 residual block is broken into four 4x4 
pixel blocks. Calculate the norms of each 4x4 blocks and 
compare with the pre-specified criteria (say SD3 as shown 
in Fig. 6). If the norms match the criteria, then it is stored 
as 4 x 4 training set. Otherwise the blocks are discarded. 

The matching criteria SDi (Standard Deviation) has 
been fixed on the basis of statistical characteristics of 
16 x 16, 8 x 8 and 4x4 pixel blocks of the training set. 

Codebook Generation: To design the codebook from 
three training set (16 x 16, 8 x 8 and 4x4), we have 
used Prune Tree Structured Vector Quantization (binary 
tree) (PTSVQ) [3] method. Three codebooks are gener- 
ated from three different training sets as shown in Fig. 6. 
The mean value is computed for each training set. The 
PTSVQ is applied on mean removed vectors. Each ele- 
ment of the vector after subtraction of the mean value is 
known as mean removed vector. At the time of encoding, 
a 16 x 16 pixel block is taken from the image sequentially 
and depending upon the match criteria it is coded either 
by the codebook indices for 16 x 16 or broken to four 8x8 



a 8 x 8 pixel block, if a proper match in the codebook is 
absent, it is treated as a collection of four 4x4 blocks and 
coded by four indices from the 4x4 codebook. A sepa- 
rate match hie is kept to track the sequence of indices from 
different codebooks. 

The VQ scheme we have implemented is a combination of 
mean removed VQ, PTSVQ, Classified VQ, and Address 
VQ (Partially). In binary PTSVQ, if N is total number of 
codebook entries, the depth of the tree is log2N. So, time 
required to search each block is log2N. As a result, if the 
codebook entry increases, the time required to search the 
best match increases. A significant improvement is needed 
to find the best match of a given input block with codebook 
entry. This is specifically true for on-line transmission of 
image and video data. A scheme based on CA technology 
is next reported to reduce the search time. 
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Fig. 6. Block diagram of codebook generation scheme 

CA as Implicit Memory to Store and Search 
Codebook: To reduce the encoding time of VQ, we em- 
ploy MACA which effectively acts as a codebook. The de- 
tails of MACA characterization is available in [1]. MACA 
is used to classify the set of patterns (codebook entries). 
The binary search for best match in codebook is imple- 
mented with an MACA based multi-class classifier realized 
with multi-stage two class classifiers [6]. 

In order to identify the best match in binary PTSVQ 
scheme, the input vector is compared with two centroid 
of two vector clusters in each layer of the tree and one of 
the branches is selected according to matching criterion. A 
vector cluster represents a set of entries in a codebook. A 
sequence of comparisons are done in subsequent levels till 
the leaf node is reached. We have designed MACA based 
two class classifier to model the comparison operation at 
each node of PTSVQ binary tree. The pixel blocks of the 
training sets employed for design of codebook and PTSVQ 
binary tree is also used as input for design of MACA based 
two class classifiers [6] . A set of MACA are generated that 
acts as multi-class classifier of the vectors in a codebook. 

Fig. 7 illustrates the design of MACA set for a code- 
book. Suppose, we want to classify the pattern set C = 
{{5 0 },{5i},{5 2 },{5 3 }} into four classes - 0, 1, 2 and 3 
such that the classifier would output correct class i (i = 
0,1,2,3) for a given input codevector Pi e {Si}. At the_first_ 
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and C u where C 0 = {{So}, {Si}} and C x = {{S 2 }, {S 3 }}. 
The MAC A (To) is designed to classify two distinct classes 
Co and C\. Fig.7 represents two classes Co and C\ along 
with the MAC A (T 0 ). The same process is then applied 
for Co and C\ to isolate {S 0 }, {Si} and {S 2 }, {S3} respec- 
tively and to generate two MAC As - T\ and T 2 . Thus the 
logical structure of multi-class classifier {Fig.7) is equiva- 
lent to PTSVQ binary tree representing a codebook. 

For a given codevector Pi (Pi € Si), we need to identify 
the codebook entry (that is the codeword) closest to Pi- 
At the prediction phase, the codeword Pi is given as input 
and its class is identified as follows. At the first stage, the 
classifier designed with the MAC A (T 0 ) is loaded with Pi 
and allowed to run. It returns the desired class Co- In next 
level, the classifier of (T\) is loaded with .Pi to output the 
class Si. 
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Fig. 7. Structure of multi-class clasifier equivalent to PTSVQ 

Experimental Results of static images: The algo- 
rithm is applied on different standard pictures of human- 
face. Experimental results, reported in Table /, represent 
the PSNR values as well as compression ratio of the set 
of images when compressed and decompressed using the 
proposed scheme. Fig. 8 shows the comparative study of 
original and decompressed images. The experimental re- 
sults of Fig. 8 and Table / confirm high PSNR value with 
a compression ratio in range of 98.50% to 98.83%. 

TABLE I 
Results of Static Image 



Image 


PSNR 


Compression 


File 




Ratio (%) 


lena 


33.36 


98.83 


girl 


34.91 


98.73 


ProjlO 


32.69 


98.64 


Projl2 


27.71 


98.66 


Projl7 


29.26 


98.50 


Projl8 


31.40 


98.83 


Projl9 


29.04 


98.70 


Proj20 


28.94 


98.48 


Proj21 


28.68 


98.25 


Proj22 


30.42 


98.75 



B. Application of Human- face codebook 

On successful implementation of compression of still im- 
age of human face, we have explored the possibility of using 
the codebook generated for human-face in other application 
domains. We analyze the probability of occurance of pixel 
values of the training set of the human-face image. Fig. 9- 




Fig. 8. Original and decompressed images 
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Fig. 9. Probability of occurrence of pixel values 

value. This is computed by Gaussian function [7]. The 
other application domain which has characteristics similar 
to Fig. 9- (a), can use the same codebook for compression. 
We have experimented with two video files. Prom the 'toy 
video' file a set of frames are selected as training set. Prob- 
ability of occurance of different pixel values, as noted in 
Fig. 9- (a), gets identified with Fig.9-(b). The close similar- 
ity of two groups confirms that the human-face codebook 
can be used in the application domain of 'toy video'. The 
experimental results of two 'toy video' is reported in Table 
II and Fig. 10. The high compression ratio and good qual- 
ity of video frames establish that the human-face codebook 
can be applied to other application domains having simi- 
lar characteristics in respect of probability of occurance of 
pixel values. 

V. CA Based Encryption (CAC) 

In general, the encryption employs a series of four- 
reversible CA based transforms (Fig. 11) on plain text to 
arrive at cipher text. The basic idea of introducing a se- 
ries of transforms - simple, moderately complex, and more 
complex - is to achieve desired level of security with min- 
imum cost and high speed execution. Transform at each 
level is dependent on some function of the input key. The 
length of a key can be easily varied exploiting the modular 
and cascadable structure of CA. 

The first level of encryption, (Fig. 11) is a linear trans- 
form of the input key and also on plain text, the later 
one being implemented by rotating each bytes of the to- 
ken. At the second level, an affine transform is introduced 
with an additive CA. A non-affine transformation is next 
implemented by employing a non-linear reversible CA [5]. 
Finally, a linear transform is employed with a simple XOR 
operation. 

Acceptance of any cryptosystem depends on its crypt- 
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Fig. 10. Toy video sequence (original & decompressed) 

TABLE II 
Results of 'Toy Video' 



Video 


No. of 


PSNR 


Compression 




frames 




Ratio (%) 


toyl 


100 


31.14 


98.66 


toy2 


50 


32.44 


98.50 



differential cryptanalysis [2] and Shannon's notion of per- 
fect secrecy test [4] on CAC. For the sake of comparison 
we also subject AES and DES to these two tests. 

The experimental results of Differential cryptanalysis 
and Shannon's Security Quotient for CAC with the AES 
and DES are shown in Table III and IV. These results 
clearly establishe that the quality of security level of CAC 
is better than DES and comparable to that of AES. The 
CAC codesize is 3.20 KB. It comes down below 3.0 KB 
with hardware-software co-design [5] . The execution speed 
of CAC is noted in TableV. Thus the average through- 
put of the current version of encryption package is 2.20 
Mbit /sec. 

VI. Experimental Result of Encompression 

The experimental result of each stage of Encompres- 
sion operation is shown in Fig. 12 for the example image 
of 'iexia'. First, the image is compressed at Stagel and 
the index file is generated. In Stage2, the index file is en- 
crypted by the key 'aocde/ 1234 5'. The decryption process 
decrypts the encrypted file by the same key and regenerates 
the index file (original) at Stage3. At final stage (Stage3), 
this file is decompressed and the image is retrieved. The 
size of the file at each stage is shown in Fig. 12 with its 
ASCII character. 

VII. Pipelined Architecture of Encompression 

The pipeline architecture of Encompression hardware is 
shown in Fig.H. The linear/additive CA used for the En- 
compression can be realized out of the PC A structure of 
Fig. 13(a). Each such PCA has 4 switches and a MUX 
(Multiplexer) to configure any linear /additive rule on a 
CA cell. By contrast the Universal Programmable CA 
(UPCA) as shown in Fig. 13(b) can be configured with 
linear /additive /non-linear CA rules. It requires 8 num- 
ber of 2-to-l MUX to incorporate the rule of a CA cell. 
The output of the MUX is the input to one 8-to-l MUX. 



DcojpttB 



Ran Tea 

i 

linear „ 1 

Transformation 



^Tfjnsfonmtiffl 



GioopCA i 



XORing 
Wotmed Tt 



Key Mixing 



' Auric of i 
in n aft i ptc b?d 

* Apply transform T at 
levdlj i=LU4 

,Tj ►Linear 
t \ -Affinc 

•1 " Nra-Affine 
*\ ►linear 



Note : Non-Affinc essentially refers 
to 3 Nod- Lineai Transform 



Gpher Ten 

Fig. 11. Block diagram of encryption scheme 

TABLE III 
Differential Cryptanalysis 



Input file 
Size (MB) 


Avg. Std. Devi n of XOR Distributions 


CAC{%) 


DES{%) 


AES(%) 


2 


4.30 


30.03 


4.0 


6 


4.17 


28.24 


3.62 


10 


4.02 


28.89 


3.52 


14 


3.55 


28.52 


3.48 


20 


3.59 


27.67 


3.24 



as the control input of this 8-to-l MUX. While UPCA is 
used for CAC scheme, the MAC A has been realized with 
PCA Different stages of Encompression hardware of Fig. H 
basically implements the architecture of Fig.l where data 
flows through the pipeline in streaming mode. 

Stagel: This stage implements the MAC A based en- 
coding sheme. Rule vectors of MAC A realizing the multi- 
class classifier are stored in programme memory as shown 
in Fig. 14. The input block of image is stored in the in- 
put register. The control block configures PCA1 with rule 
vector and run for a cycle by taking the input register 
value. The output of PCA1 is stored in intermidiate reg- 
ister (inter _reg). The control block select next rule vector 
on the basis of the intermidiate register value. The process 
is continued until the class of the block is identified. The 
index of the identified input block is stored in buffer B\. 

Stage2: The encryption block is enabled by 'end signal 
when Bl buffer is filled with 128 bit value. The PCA2 is 
as an UPCA. It performs 4 level of operations as shown in 
Fig. 11 with the Bl value as token. Final encrypted token is 
generated and stored in buffer B2. 

Stage3: The decryption process use the same circuit of 
encryption. The reverse process is implemented by activat- 
ing the 'dec* signal. The control block, configures PC A3 
(an UPCA) to perform the 4 levels of operation in re- 
verse order to retrieve original index. The retrieved index 
is stored in buffer B3. 

Stage4: The index stored in B3 is used to address the 
codebook memory to read out the pixel block. 
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TABLE IV 

Measurement of Shannon's Security Quotient 



Input file 
Size (MB) 


Shannon's Security Quotient (i?) 


CAC(%) 


DES(%) 


AES(%) 


2 


14.1605 


14.2374 


14.2345 


4 


10.1060 


10.2507 


10.1675 


8 


7.1182 


7.1468 


7.7046 


13 


5.5868 


5.5645 


6.0266 


15 


5.2097 


5.3157 


5.5552 



TABLE V 

Comparison of Execution Time of Software Version 



Input file (MB) 


AES (sec) 


CAC (sec) 


2.78 


2.52 


1.20 


7.68 


8.67 


4.21 


11.80 


14.10 


6.90 


14.81 


18.10 


8.80 


23.76 


29.53 


14.61 



simulated using Cadence Verilog Simulator on Sun Ultra- 
60 machine. The design has been implemented with 0.25/i 
CMOS technology. The pre-layout area estimation of the 
non-optimized design is 4.25 x 10 6 sq. micron and timing 
analysis of one complete run of CAC is 1GHz. clock. The 
other modules (Stage i & Stage 4) are under implementa- 
tion. 

VIIL Conclusion 

This paper presents a new technology known as Encom- 
pression that combines both compression and encryption 
into a single operation. The sparse network of CA has 
been employed for low cost, online Encompression to sup- 
port efficient data transmission with desired level of secu- 
rity. A pipeline architecture of the proposed scheme is also 
outlined. 
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Fig. 12. Result of encompression at each stage 




Fig. 13. Programmable CA (PCA) & UPCA cell structure 
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Fig. 14. Pipelined architecture of encompression hardware 
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